Adding `systemd-importd` to the build, so that `machinectl`s `import-.*`
may actually do anything. Currently they fail with
```
Failed to transfer image: The name org.freedesktop.import1 was not provided by any .service files
```
as `systemd-importd` is not built. Also registers the regarding dbus
api and service in the systemd module.
This enlarges the system uid/gid range 6-fold, from 100 to 600 ids. This
is a preventative measure against running out of dynamically allocated
ids for NixOS services with isSystemUser, which should become the
preferred way of allocating uids for non-real users.
The new systemd in 19.09 gives an "Access Denied" error when doing
"systemctl daemon-reexec" on an 19.03 system. The fix is to use the
previous systemctl to signal the daemon to re-exec itself. This
ensures that users don't have to reboot when upgrading from NixOS
19.03 to 19.09.
On aarch64 we "leak" a reference to $out/lib/systemd/catalog in the lib
output. The result of that is a dependency cycle between $out and $lib.
Thus nix (rightfully) marks the build as failed. That reference
originates from an array of strings (catalog_file_dirs) in systemd
(src/src/journal/catalog.{c,h}). The only consumer (as of v242) of the
symbol is the main function of journalctl. Still libsystemd.so contains
the VALUE but not the symbol. Systemd seems to be properly using
function & data sections together with the linker flags to garbage
collect unused sections (-Wl,--gc-sections). For unknown reasons those
flags do not eliminate the unused string constants, in this case on
aarch64-linux. The hacky way is to just remove the reference after we
finished compiling. Since it can not be used (there is no symbol to
actually refer to it) there should not be any harm. It is a bit odd and
I really do not like starting these kind of hacks but there doesn't seem
to be a straight forward way at this point in time.
The reference will be replaced by the same reference the usual nukeRefs
tooling uses. The standard tooling can not / should not be uesd since
it is a bit too excessive and could potentially do us some (more) harm.
We are currently not running any tests but building them takes
signitifcant amounts of time since they account to about 40% of all the
compilation targets.
The current approach will fail when enough time has passed. We ideally
want to be reproducible even in a few years of time. So we should pick
the sources of patches wisely as otherwise we can not do that.
Fixes CVE-2018-15688 and updates latest upstream stable v239 branch.
See https://github.com/NixOS/systemd/pull/24 for details.
Co-authored-by: Andreas Rammhold <andreas@rammhold.de>